[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti-taxii] HTTPs
Patrick Maroney wrote this message on Mon, Feb 22, 2016 at 20:20 +0000: > The whole set of topics around leveraging existing standards for AAA, Encryption, Non-repudiation, Provenance, is deep and in my opinion not as fully vetted as it deserves. The main corollary being ensuring we are not re-inventing well vetted, well established "wheels". > > However, specific to this point, there are a number of development and operational deployment scenarios where HTTP is a very valuable transport protocol. Just for one example, one can architect a massively scalable, hardened security infrastructure using F5 Aplliances to provide a very strong external security perimeter while running all internal services over clear channel protocols like HTTP. In this model operating your internal transport layers between isolated web/application servers over clear channels provides many performance, oversight/monitoring, operational troubleshooting, etc. capabilities. I would point out that a spec requiring HTTPS for TAXII does not prevent anyone from doing the above... The HTTPS part is a MTI to be called TAXII... Any vendor is free to implement TAXII and add extensions onto TAXII which disable HTTPS, but what they can't do is not implement HTTPS and say their product implements the TAXII specification... -- John-Mark
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]